ass(1) autonomous system scanner


ass [-v[v[v]]] -i <interface> [-p] [-c] [-A] [-M] [-P IER12] -a <autonomous system start> -b <autonomous system stop> [-S <spoofed source IP>] [-D <destination ip>] [-T <packets per delay>]


This manual page documents briefly the ass command. This manual page was written for the Debian distribution because the original program does not have a manual page.

ASS, the autonomous system scanner, is designed to find the AS of the router. It supports the following protocols: IRDP, IGRP, EIGRP, RIPv1, RIPv2, CDP, HSRP and OSPF.

In passive mode (./ass -i eth0), it just listens to routing protocol packets (like broadcast and multicast hellos).

In active mode (./ass -i eth0 -A), it tries to discover routers by asking for information. This is done to the appropriate address for each protocol (either broadcast or multicast addresses). If you specify a destination address, this will be used but may be not as effective as the defaults.

EIGRP scanning is done differently: While scanning, ASS listens for HELLO packets and then scans the AS directly on the router who advertised himself. You can force EIGRP scanning into the same AS-Scan behavior as IGRP uses by giving a destination or into multicast scanning by the option -M.

For Active mode, you can select the protocols you want to scan for. If you don't select them, all are scanned. You select protcols by giving the option -P and any combination of the following chars: IER12, where:




1 = RIPv1

2 = RIPv2

ASS output might look a little strange, but has it's meanings:

Routers are identified by the sender's IP address of the packet. This may lead to several routers showing up as more then one since they used different sender interfaces. In the brackets, the protocols this router runs are shown.

Routing protocols are shown as one or more indented lines. First, there is the routing protocol name (like EIGRP), followed by the autonomous system number in brackets. Aligned to the right is the target network if applicable.

IGRP routing info shows the target network and in brackets the following values: Delay, Bandwidth, MTU, Reliability, Load and Hopcount.

The IRDP info is limmited to the announced gateway (router) and it's preference

RIPv1 info just gives you the classified target network (remember RIPv1 network boundaries) and it's metric

RIPv2 info contains after the target network the following infos: Netmask, next hop, arbitrary tag, and the metric. An additional line may appear on the routers section that gives you the authentication if enabled in the protocol. For text auth, the password is there.

The basic EIGRP just gives you the autonomous system number, the IOS and EIGRP version as found in the HELLO packet

The EIGRP routes section depends on the type of route. All of them include the fields destination network, destination mask and in the last line (in brackets) the values for Delay, Bandwidth, MTU, Reliability, Load and Hopcount. External routes also include the originating router, the originating autonomous system, the external metric and the source of this route.

HSRP info is not routing, therefore the third field is the virtual IP address of the standby group, followed by the state, the auth string, Hello, Hold and priority values.

OSPF info includes the destination network as well as the Area in IP format, the authentication used (and, if applicable the auth string), netmask, designated and backup router and the values for Dead, Priority and Hello.


A summary of options is included below.
Show summary of options.
-i <interface>
verbose mode
Active mode scanning
-P <protocols>
Select protocols to scan
EIGRP systems are scanned using the multicast address and not by HELLO enumeration and direct query
-a <autonomous system>
autonomous system to start from
-b <autonomous system>
autonomous system to stop with
-S <spoofed source IP>
maybe you need this
-D <destination IP>
If you don't specify this, the appropriate address per protocol is used
don't run in promiscuous mode (bad idea)
terminate after scanning. This is not recommened since answers may arrive later and you could see some traffic that did not show up during your scans
-T <packets per delay>
how many packets should we wait some milliseconds (-T 1 is the slowest scan -T 100 begins to become unreliable)


This manual page was written by Vince Mulhollon <[email protected]>, for the Debian GNU/Linux system (but may be used by others).